From 5d21632ea70e1c7de7becb7ab6227b06b1535a83 Mon Sep 17 00:00:00 2001
From: bndw
Date: Sat, 14 Feb 2026 10:02:52 -0800
Subject: feat: add separate read/write allowlists for granular access control

- Split allowed_npubs into allowed_npubs_read and allowed_npubs_write
- Write operations: Publish, Delete, Create, Update, Insert, Remove, Set, Put
- Read operations: everything else (Query, Subscribe, Get, List, etc.)
- Auth interceptor checks appropriate list based on method type
- Enables common patterns:
  - Public relay: only some can write, everyone can read
  - Private relay: restricted read and write
  - Open relay: everyone can read and write
- Updated config, docs, and comprehensive tests

Use cases: "only some can write, everyone can read"
---
 internal/auth/README.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'internal/auth/README.md')

diff --git a/internal/auth/README.md b/internal/auth/README.md
index df0de6a..366e110 100644
--- a/internal/auth/README.md
+++ b/internal/auth/README.md
@@ -209,9 +209,20 @@ authOpts := &auth.InterceptorOptions{ - **`TimestampWindow`**: Maximum age of events in seconds (default: 60) - **`Required`**: Whether to reject unauthenticated requests (default: false) - **`ValidatePayload`**: Whether to verify payload hash when present (default: false) -- **`AllowedNpubs`**: Optional whitelist of allowed pubkeys (nil = allow all) +- **`AllowedNpubsRead`**: Optional whitelist of allowed pubkeys for read operations (nil = allow all) - Config accepts npub format only (human-readable bech32) - Automatically normalized to hex format (computer-readable) at config load time + - Controls access to Query, Get, List, Subscribe, and other read methods +- **`AllowedNpubsWrite`**: Optional whitelist of allowed pubkeys for write operations (nil = allow all) + - Config accepts npub format only (human-readable bech32) + - Automatically normalized to hex format (computer-readable) at config load time + - Controls access to Publish, Delete, Create, Update, and other write methods + +**Access Control Patterns:** +- **Public relay**: Set `AllowedNpubsWrite` (only some can publish), leave `AllowedNpubsRead` empty (everyone can read) +- **Private relay**: Set both lists (restricted read and write access) +- **Open relay**: Leave both empty (everyone can read and write) +- **Read-only relay**: Set `AllowedNpubsRead`, block all writes ### NostrCredentials Options -- cgit v1.2.3
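Review bot: the new "Read-only relay" pattern ("Set `AllowedNpubsRead`, block all writes") has no documented mechanism behind it, because both field descriptions in this hunk only say "nil = allow all" and never state how an operator expresses "allow nobody"; please document whether an empty non-nil `AllowedNpubsWrite` denies every write or is treated the same as nil, and use one term consistently ("nil" in the field bullets vs. "empty" in the "Public relay" and "Open relay" bullets), since the difference is exactly what decides whether a read-only configuration fails closed or silently allows all writes. Two smaller points for the same hunk: the removed `AllowedNpubs` bullet is a breaking config change (the commit message says `allowed_npubs` was split into `allowed_npubs_read` and `allowed_npubs_write`), so a one-line migration note for the old key belongs here; and "and other write methods" / "and other read methods" leave the classification rule implicit, while the commit message says "Read operations: everything else", which means any future mutating method whose name is not on the write list is checked against the read allowlist only. Consider stating the exact rule (write if the method name matches Publish, Delete, Create, Update, Insert, Remove, Set, Put; otherwise read) so that reviewers of new RPCs know the default is the more permissive list.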